Procuring educational technology (EdTech)
Procuring EdTech and what schools need to know about data protection.
This guidance will help schools follow data protection legislation when procuring educational technology (EdTech). It focuses on digital tools and systems schools use to support or deliver education. EdTech can help schools manage learning, communication and assessment more effectively and provide engaging and accessible methods of learning to pupils. Most EdTech tools collect and use personal data about pupils, parents and staff.
When you buy or start using EdTech, you must make sure that the processing of personal data complies with data protection law. Ensuring that data protection by design and by default is built into the use of any tool. This means that the supplier or developer of the tool has designed it to require only the minimum necessary data for a specific purpose, non-core features switched ‘off’ by default, with appropriate safeguards built in from the start.
This guidance suggests what schools should consider before, during and after procuring EdTech tools for learning and the key points that you should discuss with a potential supplier.
Guidance on buying for schools is also available, where you can access free resources or advice from procurement specialists.
The Information Commissioners Office (ICO) worked directly with EdTech providers to review and improve data protection practices, read the Edtech examined report. It details common data protection risks and areas for improvement. Schools should take these findings into consideration when procuring EdTech tools
When procuring goods and services it’s important to consider the data protection implications and consult with your Data Protection Officer (DPO) at the very start and throughout the implementation of any tool. You should consider the following
Here’s a list data protection considerations when buying EdTech.
You must complete a DPIA when the processing of personal data is likely to result in a high risk to the rights and freedoms of individuals. High-risk processing, such as profiling pupils or processing biometric data on a large scale, usually requires a DPIA.
When completing the DPIA you will need to understand how the personal data is processed and managed. It should be completed as early as possible and ideally before any decisions are made on how personal data will be processed.
This will support you in your discussions with the suppliers as they can provide information to assist in completing the DPIA.
You should:
- ask them to provide you with details of their policies and procedures so you can review them and ensure they align with your own internal requirements
- consult your DPO for their advice and expertise during the DPIA process
- keep your DPIA updated as and when changes to the processing occur such as if there are changes or updates within the tool
The next section will support you in completing your DPIA and help you to decide whether to move forward with the prospective supplier.
You will need to understand what personal data the tool will process including whether any of that will be special category data such as health information. If the processing involves special category data, then extra protection is needed as it presents a higher risk to the rights and freedoms of individuals.
You should not be processing or collecting any additional personal data than you require. Ask the supplier to explain why each category of data is necessary. The data collection must be limited to what is essential for the tool’s educational purpose.
When processing personal data, you require a valid reason and a lawful basis. You need to consider whether you will rely on public task, legitimate interests, consent, or another lawful basis, and document this. If special category data is being processed, ensure that the necessary additional conditions are met under UK GDPR.
You may consider public task as a lawful basis if the tool enables you to carry out your school’s official duties. However, if the tool has additional features that are beyond the scope of your instructions in performing your official duties, public task will not be appropriate for this additional processing. Also, the school may not be the data controller for this element of the processing if it is outside of the original instructions to use the tool. Particularly if parents or carers choose to use the additional features the tool has.
If you are relying on consent, ensure that there is a suitable mechanism in place for obtaining consent and parents have a choice in how the personal data will be processed. Consent can also be withdrawn at any time so you will need to consider whether this is the most appropriate lawful basis for this activity, if it is you need to have a clear opt-out process.
Some tools may involve parents and carers of the pupils. Depending on the lawful basis you may need to obtain consent from the parents and carers.
Example: collecting appropriate personal data
When procuring a new management information system (MIS), the school reviews the personal data it will process, such as pupil names, contact details, attendance, and assessment data. The supplier also has fields for additional information, including medical conditions and SEND information, which are special category data.
The school assesses the purpose and lawful basis for processing each category of data. As information such as SEND and medical data is necessary to support pupils’ educational needs, the school retains these fields. Where optional fields are not required for the school’s purposes, these are reviewed and disabled to avoid collecting unnecessary information.
The school also has a maths practice application that pupils actively use. This only requires pupil name, class, and login details, and should not require sensitive information or wider data held in the MIS. The school checks that the personal data collected by the tool is proportionate to its needs and not expanded simply because more data is available in the MIS.
You need to understand how personal data is handled and shared throughout its entire lifecycle so that you can identify, reduce, or mitigate any associated risks. This will help you to understand if any additional safeguards or technical measures need to be put into place to protect the personal data.
To support you in being transparent about what happens with personal data, ask the supplier to walk through the way the personal data flows and what happens with it at every stage. If they cannot provide this, then ask them to find out so you are aware of how the personal data is processed before procuring a product.
Schools are usually data controllers for the personal data they process. You need to understand the roles of the school and the supplier, so you can determine whether the supplier is acting as a processor or joint controller for any features.
You should also consider if they use any other organisations as sub-processors to perform any element of the processing. This is so that you know who will have access to the personal data and for what purpose.
If the tool has additional features outside of the school’s requirements that parents can sign up for, you will need to consider that the supplier is likely to be the data controller.
Make sure responsibilities are clearly assigned in a contract or data processing agreement. Before signing any contracts or agreements with the supplier, check all clauses to ensure they meet your requirements and challenge any that you are unhappy with. This should cover security measures, sub-processors, deletion and return of data, breach notification, and staff access control.
Example: when a supplier could be a data controller and the use of artificial intelligence (AI)
A school would like to use an AI writing tool to support pupils in developing their spelling and grammar.
The tool requires the pupil’s name and email address. However, depending on what the pupil enters into the tool, further personal data could be processed. Such as if a pupil documents their weekend activities, for example a visit to a place of worship or a medical appointment.
Throughout discussions with the supplier the school established that personal data is stored outside of the UK. Also, any data typed by the pupil could be used to develop AI functionality and improve the features of the tool.
The school would be the data controller for the personal data generated by pupils. However, where the tool processes personal data for its own purposes to develop the AI functionality, the supplier would be considered an independent data controller for that activity.
As the function to develop AI could not be turned off, combined with the storage of data outside the UK, the school determined that the supplier did not meet its internal policy requirements and chose not to proceed.
If the tool uses AI, then there are other specific AI data protection considerations for you to review.
Schools must ensure that the systems and products used align with their own internal safeguarding and online security policies and the safeguarding duties detailed in Keeping children safe in education guidance .
There are many factors schools need to consider and discuss with the supplier to reduce or mitigate any associated data protection risks. You must assess how AI is used in the tool, including whether it:
- generates content or responds to pupil information
- personalises learning using pupil data
- processes any further pupil personal data or enables interaction with chatbots, other pupils or teachers within the school or even people outside of the school
- uses automated decision-making or profiling
Suppliers must be able to explain how their tool works, including:
- how the AI outputs are moderated
- if the data is used to train the AI model
- how inaccuracies and biases are mitigated
- what controls and restrictions the schools have available to them
Schools need to understand any risks to the pupils and if they could be exposed to harmful, inappropriate, inaccurate or biased content generated by the AI tool. AI tools must allow for monitoring and supervision by appropriate and authorised members of staff in the school.
Your DPO and designated safeguarding lead should be consulted before a decision is made on whether to procure the tool.
Ongoing monitoring of AI tools is required to ensure that any new risks are mitigated, and the processing still conforms to your policies. When updates are made to the tool, review these so you are aware of the changes and if there is any further use of AI, taking appropriate action to ensure ongoing compliance of data protection legislation.
Schools are not directly in scope of the Information Commissioner’s Children’s code as they are not an information society service, but any EdTech tools that you procure often are.
It is important that the data controller’s relationship is established early as the code applies if the supplier is acting as a controller or a joint controller. If the supplier is exercising control over the purpose and means of processing children’s personal data then they need to abide by the code. If they are processing for their own purposes beyond the school’s instructions, then they would need their own lawful basis.
When you are liaising with suppliers, you must ensure that they meet the standards within the code. Liaise with the suppliers to clarify the questions you have and challenge when you are not clear on the answers provided.
Schools have a statutory responsibility to keep children safe in school. When procuring tools or technology that children may have access to, there needs to be appropriate filtering and monitoring systems in place as detailed in the Keeping children safe in education guidance.
As the tool will be using personal data relating to pupils, security and safety is extremely important. Safeguarding applies to tools and systems. If there are any doubts that it may not fully protect pupils or their personal data, then this supplier may not be appropriate for your school. Your designated safeguarding lead should also be involved in decisions around the procurement of the supplier.
The tool should include an audit trail enabling safeguarding leads to monitor and review pupil usage, ensuring their safety and compliance with internal policies and safeguarding requirements
As and when there are changes or updates to the tool, review these to confirm that there are no changes to the way personal data is processed. You can discuss these with your supplier to ensure that any updates that involved further processing of additional personal data are not automatically switched ‘on’. If you then proceed and the changes include further processing of personal data, review and update the DPIA and privacy notices as appropriate.
You should review and update your policies and make them clear and accessible, this is particularly important where the tools are used for different types of users such as pupils, teachers and parents and carers.
Consider where and how data is stored, including any international transfers if the data is held or processed outside of the UK. UK GDPR enforces rules around these transfers to ensure that individuals have their rights about their personal data protected.
The supplier must have adequate safeguards in place for transfers outside the UK, and that storage locations meet your school’s security requirements.
Review retention and deletion policies. Clarify how long data will be kept and if that is appropriate for the pupils, parents and staff. Discover how it will be deleted or returned at the end of the contract, and how backups and caches are handled. Once you have established this, you should review your policies to ensure that the processing meets your requirements.
Ask the supplier about data portability, this is in case you switch providers and wish to export the data to use with a new supplier.
You should plan for how personal data will be managed at the end of the contract with the supplier. Confirm how data will be returned to the school and how any remaining data held by the supplier will be securely deleted. Ensure that clear timescales are agreed for data transfer and deletion, including how backups and archives will be handled. The supplier should provide confirmation once deletion has taken place. Planning this at the start helps reduce the risk of a data loss and ensures compliance with data protection legislation when changing or ending a contract.
Evaluate how the supplier manages security. You should ask about technical measures such as:
- encryption
- secure authentication
- audit logging
- intrusion detection
Using these means that the personal data is safe and secure. Find out whether the supplier undergoes independent audits, holds security certifications, or publishes penetration test reports. You should discuss this with your IT or security lead to make sure that it is appropriate to use and meets the requirements your school expects.
Example: reviewing security for a homework EdTech tool
A school would like to use a platform to make completing and reviewing homework easier for pupils and teachers. It will store pupil names, teacher names, classes, and information relating to the homework activity.
One of the questions the school asks the supplier is how the personal data will be protected. The supplier explains that data is encrypted when stored and when transmitted, staff access is protected by multi-factor authentication, and audit logs are kept to record who accesses or changes information.
They confirm they have systems in place to detect unusual activity.
The school’s IT lead reviews this information and checks that the supplier holds a security certification that aligns with the school’s policies and the tool undergoes regular independent security testing.
Based on this, the school is satisfied that the supplier’s security measures are appropriate for the type of personal data being processed and meet their expected standards. The school sets a review period to ensure the tool is working as expected and has regular conversations with the supplier, so they are aware of upcoming changes to the tool. As and when changes occur, the DPO is consulted and the DPIA updated.
Examine the support the supplier can offer for data subject rights. You need to be able to respond to subject access requests (SARs) and requests for rectification, erasure, objections and portability. Confirm that the supplier enables the school to respond to these requests in line with UK GDPR. Review your own internal guidance on data subjects’ rights to ensure that those completing these are aware of the arrangements with the supplier.
Establishing roles and responsibilities and the data controller relationship early on, makes responding to data loss events more quickly and efficiently.
Look at how the supplier will deal with an incident, how quickly they are able to notify the school and what you would require from them to appropriately respond to the breach and if necessary, report it to the ICO. Verify that their response meets the school’s requirements and that it is all documented in the signed agreement between both parties.
Plan for ongoing monitoring. It’s useful to set review periods with the supplier to discuss performance and raise any issues that you may have.
Establish procedures to review the supplier’s performance, security updates, any changes to processing activities, and compliance with contractual obligations. If there are any changes to how personal data is processed, update your privacy notices and inform parents.
Example: ongoing monitoring and changing supplier
A school uses a library management system to track book loans, the personal data processed includes name, class and year group.
The school has termly reviews to discuss system performance and raise any non-urgent issues reported by staff or pupils. During these reviews, the school checks that the system is meeting agreed service standards and that support requests are resolved in a timely way.
The school reviews updates from the supplier, including security updates and any changes to how personal data is stored or accessed. When the supplier introduces a new feature allowing for remote access, the school checks how this affects data processing and requests this feature is disabled as it’s not required.
As technology develops, the school’s needs change and they would like their library management system to link to their parent and carer communications app. This way parents and carers can be informed about late books and receive all messages through one application.
Throughout discussions it becomes apparent that this is not possible with their current tool.
At the end of the contract, the school decides to move to a different supplier that better meets their requirements. The school reviews and updates the DPIA and privacy notice based on the use of the new tool.
As an exit plan was agreed at the start, the school is able to export all pupil borrowing data. The original supplier then securely deletes any remaining personal data and provides confirmation, in compliance with the contract and UK GDPR. This is transferred to the new supplier within the agreed timescales set out in the contract and there is minimal downtime caused to the library system.